
Device Code Authentication Phishing

February 18, 2025 | 3 MINS READ


THE THREAT

eSentire is aware of multiple reports [1] [2] attributing recent Device Code Authentication phishing campaigns to Russian state-sponsored APT groups. Device Code Authentication phishing involves a victim entering a threat-actor-generated device code into the legitimate Microsoft Device Code Authentication workflow. When the victim completes the sign-in with that code, the threat actor receives a valid access token, allowing them to access the victim's connected resources, including accounts, emails, and cloud storage, without requiring a password. Access to the victim's accounts persists for as long as the compromised token remains valid.

Real-world attacks have resulted in reconnaissance activity, the theft of sensitive information, and the misuse of compromised accounts to conduct additional phishing attacks.

While Device Code Authentication phishing is not novel, its recent use by multiple threat actor groups indicates wider adoption and a potential increase in related attacks. Organizations are strongly encouraged to set conditional access policies on Microsoft 365 tenants to defend against similar activity.

Additional information

Recently observed campaigns have been attributed to Russian-based threat actors including Storm-2372, CozyLarch, UTA0304, and UTA0307. Threat actors have been observed targeting government and non-governmental organizations within Information Technology (IT), defense, telecommunications, health, education, and energy industries. Organizations have been targeted within Europe, North America, Africa, and the Middle East. The threat actors have been reported to be impersonating individuals from various organizations, including the United States Department of State, Ukrainian Ministry of Defense, European Union Parliament, and research institutions.

The phishing attack begins with users receiving spear-phishing emails, or messages through WhatsApp or Signal. These messages are followed by invitations to join Microsoft Teams chatrooms or Element chatrooms (an encrypted messaging application), or to be granted access, as an external user, to the Microsoft 365 tenant of the organization the threat actor is impersonating.

Regardless of the lure used, all hyperlinks within the phishing emails either redirect or lead the victim directly to the legitimate Microsoft Device Code OAuth workflow. The threat actor instructs the user to enter a code that the threat actor has generated into this workflow. Once the user completes the authentication process, the threat actor is granted access to the user's Office 365 account. In one instance of the attack, an interstitial page was observed prior to the Microsoft Device Code OAuth workflow; this page provided the code for the victim to enter, rather than the threat actor supplying it in real time. As device codes are only valid for 15 minutes after being generated, generating the code on demand removes this time constraint from the phishing attack.

Once access to the user's account has been gained, observed post-exploitation activity includes the threat actor attempting to move laterally by sending additional phishing messages from the victim's account to other internal users. Threat actors have also been observed using Microsoft Graph to search messages for keywords such as 'username', 'password', 'admin', 'teamviewer', 'anydesk', 'credentials', 'secret', 'ministry', and 'gov'. Emails found by these searches were observed being exfiltrated, along with other documents likely of interest to the threat actor.

In the latest updates, Microsoft has identified a shift in Storm-2372's tactics: the actor now uses a specific client ID for Microsoft Authentication Broker in the device code sign-in flow. This method grants the actor a refresh token, enabling them to register an attacker-controlled device in Entra ID and obtain a Primary Refresh Token (PRT) to access organizational resources. Storm-2372 has also been observed using proxies that align with the target's region, likely to evade detection.
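The device code sign-ins described above leave a distinct trace in Entra ID sign-in logs, where the authenticationProtocol field records the flow used. The following hunting script is an added example (not part of the advisory or Microsoft's tooling): it runs over constructed sample sign-in records using the Microsoft Graph signIn field names, flags every device code sign-in, and escalates those from an app outside an assumed allowlist or from a country the user has not otherwise signed in from. The app IDs and the APPROVED_DEVICE_CODE_APPS allowlist are placeholders.

```python
from collections import defaultdict
# Constructed sample sign-in records (not real data). Field names follow the
# Microsoft Graph signIn resource; "deviceCode" is its real authenticationProtocol value.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": "app-0001", "appDisplayName": "Outlook",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "oAuth2"},
    # Device code sign-in from a country alice has never signed in from, via a broker app
    {"userPrincipalName": "alice@example.com", "appId": "app-broker-PLACEHOLDER",
     "appDisplayName": "Microsoft Authentication Broker",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RU"},
     "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "bob@example.com", "appId": "app-0002", "appDisplayName": "Teams",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "oAuth2"},
    # Expected device code sign-in: approved headless tool, usual country
    {"userPrincipalName": "bob@example.com", "appId": "app-0003", "appDisplayName": "Approved CLI",
     "ipAddress": "203.0.113.21", "location": {"countryOrRegion": "CA"},
     "authenticationProtocol": "deviceCode"},
]

# Assumed allowlist: the only apps the organisation permits to use device code flow.
APPROVED_DEVICE_CODE_APPS = {"app-0003"}

def baseline_countries(records):
    """Countries each user has signed in from with protocols other than device code."""
    seen = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen

def hunt_device_code(records, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Return (upn, app, reasons) for every device code sign-in; more reasons = higher risk."""
    baseline = baseline_countries(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            continue
        reasons = ["device code flow used"]
        if r["appId"] not in approved_apps:
            reasons.append("app not approved for device code flow")
        if r["location"]["countryOrRegion"] not in baseline[r["userPrincipalName"]]:
            reasons.append("country not seen in user's other sign-ins")
        findings.append((r["userPrincipalName"], r["appDisplayName"], reasons))
    return findings

if __name__ == "__main__":
    for upn, app, reasons in hunt_device_code(SAMPLE_SIGNINS):
        print(f"{upn} via {app}: {'; '.join(reasons)}")
```

On a real tenant, feed the same function the output of the Graph sign-in query (or the equivalent SigninLogs export) and pair it with the Conditional Access policy in reference [3] to block the flow where it is not needed.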

References:

[1] https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
[2] https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
[3] https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows
[4] https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
[5] https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities#configure-device-settings
[6] https://www.esentire.com/what-we-do/security-awareness-training-managed-phishing-training
